
Re: Keysigning in times of COVID-19



Johannes Schauer wrote:
> So in my opinion (and please correct my assumptions if they are wrong), an acceptable key signing policy would also be one, where a prospective DM has shown over several months to produce work that is always signed with the same key and maybe even communicated (for example via email, maybe even encrypted) using that GPG key.

I agree that it would be ok to sign that key.

However, suppose that the key gets lost or compromised.
Then the prospective DM creates a new key and asks you to sign it.
How would you verify that the person that shows up with the new key is
the same person that you have been working with?

I can't think of an answer that doesn't require connecting the person
to a verified personal identity (that may or may not be a
government-certified name).

Gerardo

